Why cybersecurity is a business priority
Haider Pasha, Senior Director & Chief Security Officer, Emerging Markets at Palo Alto Networks, talks about why cybersecurity today requires a complete rethinking.
Why cybersecurity should be top-of-mind for every organisation in this region?
If you looked at the smartphone apps ten years ago, before the Apple iPhone came out, none of them relied on an Internet connection. Today, pretty much every app on your phone needs connectivity. With this growing reliance on IT, there is also a corresponding increase in the creativity of attacks. If you follow the Allianz risk barometer, cybersecurity was ranked as the second biggest global risk to organisations last year, ahead of natural catastrophes.
You have made a bunch of threat predictions for this year. Will cryptomining be the biggest threat facing us in 2019?
I have made six predictions, out of which two are positive because people tend to perceive cybersecurity as bad news. In the fintech space, many new organizations are coming, and these companies will rely heavily on cybersecurity, specifically in the form of multi-factor authentication.
Cryptomining will continue to be a problem and organisations need to do a better job of focusing on basics to prevent these types of attacks. They are being hit not because hackers are going at them with sophisticated tools, but because they don’t do two-factor authentication or secure their data centres where crypto tokens are stored.
How important is basic cybersecurity hygiene?
I think user behaviour is important and cyber-hygiene should be part of every organisation’s DNA. This message should come from the top because cybersecurity is no longer a technology problem and has become a boardroom level discussion.
Another prediction I made is around legislation – GDPR was kicked off last year, but we didn’t see major penalties straight off because breaches are being investigated. This year, you will see organizations penalised for those breaches.
Along with cybersecurity hygiene, it is equally important to focus on legislation and work in parallel with your company’s legal counsel to understand the implications of local and global legislation on your business.
Who should be held responsible for security? Is it fair to blame only the CISOs when a breach happens?
That is not always the case. If you look at some of the high-profile breaches such as Equifax and Target, top executives were held responsible. But if one person should take charge of cybersecurity, it is usually the CISO. Having said that, the whole c-suite should be accountable for security, and it is the job of CISOs to create that awareness among their boards.
In that case, shouldn’t CISOs be speaking a different language?
The question is, are CISOs today speaking the right language? Recently, we organised a CISO level discussion in our region, and one of the topics was the top ten questions about cybersecurity that boards will ask CISOs and how to answer them.
Some of the CISOs in the room were not comfortable talking about business or tie back the threats they see to business impact. However, some of the CISOs from larger organisations were comfortable speaking the language of business. It requires a change in both sides – boards need to be a bit more accustomed to cybersecurity, and cybersecurity practitioners need to articulate the risk to the business.
I don’t think CISOs need to convert 100 percent to the business, and same holds for business leaders. They need to establish a common ground, and in organisations doing this successfully, the big difference is they communicate more often. Majority of CISOs talk to their boards once a year but that needs to change to once a quarter or even every month. It makes life a lot easier for both sides.
How do you rate the cybersecurity maturity levels of organisations in the Middle East?
Every organization is different. Cybersecurity is quite mature in verticals such as banking and finance. However, when it comes to healthcare and even local government entities that cater to consumers, they need to take a step and look at their overall cybersecurity posture. They need to involve all business functions when creating a security framework: Do we understand cybersecurity? What is our security governance structure? Who are the security champions within the organisation other than CISO? Are we mandating the supply chain to have necessary security capabilities they should have before even communicating with us?
These are the questions they should be asking first before having the technology discussion because a knee-jerk reaction to security doesn’t work anymore. Every CISO and CIO need to educate their boards on the trend of security and where they stand in this security maturity curve.